Chapter 1
Introduction 

An  important  concept  in  network  security  is  the  notion  of  trust,  interpreted  as 
a  set  of  relations  among  entities  that  participate  in  various  protocols  [17].  Trust 
relations  are  based  on  the  previous  behavior  of  an  entity  within  a  protocol.  They 
are  determined  by  rules  that  evaluate,  in  a  meaningful  way,  the  evidence  generated 
by  this  previous  behavior.  What  is  meaningful  depends  on  the  specific  protocol 
(application),  and  on  the  entity  that  calculates  the  validity  of  the  trust  relation. 
The  application  determines  the  exact  semantics  of  trust,  and  the  entity  determines 
how  the  trust  relation  will  be  used  in  the  ensuing  steps  of  the  protocol. 

For  example,  suppose  that  entity  A  wants  to  determine  the  public  key  that 
entity  B  owns.  A  and  B  have  had  no  previous  interactions,  hence  no  trust  relation, 
so  A  has  to  contact  entities  that  have  some  evidence  about  B’s  key.  Relevant  pieces 
of  evidence  in  this  case  are  certificates  binding  B’s  key  to  B’s  identity.  Also,  the 
trustworthiness  of  the  entities  that  issued  these  certificates  should  be  taken  into 
account.  If  A  has  had  previous  interactions  with  these  issuing  entities  then  their 
public  keys  as  well  as  their  trustworthiness  will  be  known  to  A.  Otherwise,  the  same 
steps  will  have  to  be  repeated  for  the  issuing  entities,  recursively.  Finally,  A  will 
evaluate  the  whole  body  of  evidence  and  establish  a  trust  relation  with  B.  In  this 
case, the trust relation will be: "A does (or does not) believe that B’s key is $K_B$".

The  specification  of  admissible  types  of  evidence,  the  generation,  distribution, 
discovery and evaluation of trust evidence are collectively called Trust Establishment.

As first pointed out in [17], there are significant differences in the Trust Establishment
process according to the type of network we are considering. Specifically,
the  characteristics  peculiar  to  Ad-Hoc  Networks  are  explored  and  contrasted  against 
those  of  the  Internet. 

In this work, we are focusing on the evaluation process of trust evidence in Ad-Hoc
Networks. We will be using the terms "trust evaluation", "trust computation",
and "trust inference" interchangeably. This process is formulated as a path problem
on  a  weighted,  directed  graph,  where  nodes  represent  users,  and  edges  represent 
trust  relations.  Each  node  has  direct  relations  only  towards  his  one-hop  neighbors, 
so  all  user  interactions  are  local.  The  aim  is  for  a  node  to  establish  an  indirect 
relation  with  a  node  that  is  far  away;  this  is  achieved  by  using  the  direct  trust 
relations  that  intermediate  nodes  have  with  each  other.  This  locality  requirement 
is  a  distinguishing  feature  of  the  work  reported  here. 

We  are  imposing  the  following  two  main  constraints  on  our  scheme,  based  on 
the  characteristics  of  the  networks  that  we  are  dealing  with: 

•  There  is  no  preestablished  infrastructure. 

The  computation  process  cannot  rely  on,  e.g.,  a  Trusted  Third  Party.  There 
is no Public Key Infrastructure, Certification Authorities, or Registration Authorities
with elevated privileges.

•  Evidence  is  uncertain  and  incomplete. 

Evidence  is  generated  by  the  users  on-the-fly,  without  lengthy  processes.  So, 
it is uncertain. Furthermore, in the presence of adversaries, we cannot assume
that all friendly nodes will be reachable: the malicious users may have rendered
a  small  or  big  part  of  the  network  unreachable. 

We  require  that  the  results  are  as  accurate  as  possible,  yet  robust  in  the  presence  of 
attackers.  It  is  desirable  to,  for  instance,  identify  all  allied  nodes,  but  it  is  even  more 
desirable that no adversary is misidentified as good. We use a general framework for
path  problems  on  graphs  as  a  mathematical  basis  for  our  proposed  scheme,  and  also 
give  intuitive  requirements  that  any  trust  evaluation  algorithm  should  have  under 
that  framework.  We  evaluate  the  performance  of  the  scheme  with  simulations  on 
various  topologies. 

1.1  Organization 

This  thesis  is  organized  in  five  chapters.  In  the  Introduction,  the  current  chapter, 
the  trust  evaluation  problem  is  placed  into  context,  and  the  aims  for  our  approach 
are set. The second chapter describes and comments on related work that has been
done in the field of trust computation. The main ideas are exposed, and representative
examples are given. The third chapter explains our approach, proposes
a mathematical framework for trust computation, and describes intuitive properties
that any scheme under this framework should have. In the fourth chapter,
our  proposed  scheme  is  used  for  actual  computation  scenarios,  and  the  results  are 
discussed.  The  fifth  chapter  concludes  the  thesis  and  suggests  future  directions  for 
improvement.

Chapter 2
Related  Work 

In  this  chapter  we  are  examining  previous  work  that  is  relevant  to  the  evaluation 
part  of  the  Trust  Establishment  process.  The  main  aim  is  to  expose  and  comment 
on  the  ideas  presented  in  that  work.  After  this  taxonomy,  representative  examples 
are  given,  that  serve  to  illustrate  the  salient  points. 

2.1  Taxonomy 

2.1.1  System  Model 

The  most  commonly  used  model  is  a  labeled,  directed  graph.  Nodes  represent 
entities, and edges represent binary trust relations. These relations can be (for an
edge $i \to j$): a public key certificate (issued by i for j’s key), the likelihood that the
corresponding  public  key  certificate  is  valid,  the  trustworthiness  of  j  as  estimated 
by  i,  etc. 

2.1.2  Centralized  vs  decentralized  trust 

By centralized trust we refer to the situation where a globally trusted party calculates
trust values for every node in the system. All users of the system ask this
trusted party to give them information about other users. The situation described
has two important implications: First, every user depends on the trustworthiness
of this single party, thus turning it into a single point of failure. Second, it is reasonable
to assume that different users are expected to have different opinions about
the same target; this fact is suppressed here.

The  decentralized  version  of  the  trust  problem  corresponds  to  each  user  being 
the "center of his own world". That is, users are responsible for calculating their
own trust values for any target they want. This "bottom-up" approach is the one
that  has  been  most  widely  implemented  and  put  into  use,  as  a  part  of  PGP  [50]  for 
public  key  certification. 

Note  that  the  distinction  just  mentioned  refers  to  the  semantics  of  trust.  The 
actual  algorithm  used  for  the  computation  of  trust  is  a  separate  issue:  all  data 
may  be  gathered  at  a  single  user,  where  the  algorithm  will  be  executed;  or  the 
computation  may  be  done  in  a  distributed  fashion,  throughout  the  network;  or  the 
algorithm  may  even  be  localized,  in  the  sense  that  each  node  only  interacts  with  his 
local  neighborhood,  without  expecting  any  explicit  cooperation  from  nodes  further 
away. 

2.1.3  Proactive  vs  reactive  computation 

This  is  an  issue  more  closely  related  to  the  communication  efficiency  of  the  actual 
implementation. The same arguments as in routing algorithms apply: Proactive
trust computation uses more bandwidth to keep the trust relationships accurate,
so the trust decision can be reached without delay. On the other hand,
reactive methods calculate trust values only when explicitly needed. The choice depends
largely on the specific circumstances of the application and the network. For
example, if local trust values change much more often than a trust decision needs
to be made, then a proactive computation is not favored: The bandwidth used to
keep trust values up to date will be wasted, since most of the computed information
will  be  obsolete  before  it  is  used. 

2.1.4  Extensional  vs  intensional  (scalar  vs  group)  metrics 

One  possible  criterion  to  classify  uncertainty  methods  is  whether  the  uncertainty  is 
dealt  with  extensionally  or  intensionally.  In  extensional  systems,  the  uncertainty 
of  a  formula  is  computed  as  a  function  of  the  uncertainties  of  its  subformulas.  In 
intensional systems, uncertainty is attached to "state of affairs" or "possible worlds".
In other words, we can either aggregate partial results in intermediate nodes (in-network
computation), or we can collect all data (opinions and trust topology) at
the  initiator  of  the  trust  query  and  compute  a  function  that  depends  on  all  details 
of  the  whole  graph. 

As pointed out by Maurer [36], there seems to be a trade-off between computational
efficiency and semantic correctness. Extensional systems are more efficient,
whereas intensional ones are more correct. The notion of semantic correctness seems
to be related to the attack resistance of a metric, since Levien ([28]) claimed that
scalar metrics (as he called extensional systems) are vulnerable to single-node attacks
(see next section).

2.1.5  Attack  resistance  (node/edge  attacks) 

Levien  ([29])  suggested  a  criterion  for  measuring  the  resistance  of  a  trust  metric 
to  attackers.  First,  he  distinguished  between  two  types  of  attacks:  node  attacks, 
and edge attacks. Node attacks amount to a certain node being impersonated. So,
the attacker can issue any number of arbitrary opinions (public key certificates in
Levien’s  case)  from  the  compromised  node  about  any  other  node. 

Edge attacks are more constrained: Only one false opinion can be created per
attack. In other words, an attack of this type is equivalent to inserting a false
edge  in  the  trust  graph.  Obviously,  a  node  attack  is  the  more  powerful  of  the  two, 
since  it  permits  the  insertion  of  an  arbitrary  number  of  false  edges. 

The  attack  resistance  of  a  metric  can  be  gauged  by  the  number  of  node  or 
edge  attacks,  or  both,  that  are  needed  before  the  metric  can  be  manipulated  beyond 
some  threshold.  For  instance,  in  [42]  Reiter  and  Stubblebine  show  that  a  single 
misbehaving  entity  (a  1-node  attack)  can  cause  the  metric  proposed  in  [3]  to  return 
an  arbitrary  result. 

Here an important clarification has to be made: there are trust graphs that
are "weaker" than others. When, for example, there exists only a single, long
path between the source and the destination, then any decent metric is expected
to give a low trust value. So, the attack resistance of a metric is normally judged
by its performance in these "weak" graphs. This line of thinking also hints at why
intensional systems (group metrics) perform better than extensional: They take into
account the whole graph, so they can identify graph "weaknesses" more accurately.

2.1.6  Negative  and  positive  evidence  (certificate  revocation) 

It  is  desirable  to  include  both  positive  and  negative  evidence  in  the  trust  model. 
The  model  is  then  more  accurate  and  flexible.  It  corresponds  better  to  real-life 
situations, where interactions between two parties can lead to either satisfaction or
complaints. When a node is compromised (e.g. its private key is stolen) the public
key  certificates  for  this  node  should  be  revoked.  So,  revocation  can  be  seen  as  a 
special  case  of  negative  trust  evidence. 

On  the  other  hand,  the  introduction  of  negative  evidence  complicates  the 
model.  Specifically,  an  attacker  can  try  to  deface  good  nodes  by  issuing  false  negative 
evidence  about  them.  If,  as  a  countermeasure  to  that,  issuing  negative  evidence  is 
penalized,  good  nodes  may  refrain  from  reporting  real  malicious  behavior  for  fear 
of  being  penalized. 

2.1.7  What  layer  should  trust  be  implemented  in? 

An  important  issue  that  is  often  glossed  over  is  the  layer  at  which  the  trust  protocol 
will  operate.  That  is,  the  services  required  by  the  protocol  and  the  services  it  offers 
should  be  made  clear,  especially  its  relationship  to  other  security  components.  As 
pointed  out  in  [7],  some  secure  routing  protocols  assume  that  security  associations 
between  protocol  entities  can  be  established  with  the  use  of  a  trust  establishment 
algorithm,  e.g.  by  discovering  a  public  key  certificate  chain  between  two  entities. 
However,  in  order  to  offer  its  services,  the  trust  establishment  algorithm  may  often 
assume  that  routing  can  be  done  in  a  secure  way.  This  creates  a  circular  dependency 
that  should  be  broken  if  the  system  as  a  whole  is  to  operate  as  expected. 

2.2  Representative  Examples 

Some of the following examples have been cast in the public key certification framework,
whereas others are more general. However, they can all be viewed as trust
evaluation metrics, insofar as they compute a trust "value" for a statement like "Is
this public key certificate valid?".

2.2.1  Decentralized  Trust  Management 

Blaze, Feigenbaum, and Lacy [6] seem to have been the first to introduce the
term "Trust Management", and identified it as a separate component of security
services in networks. They designed and implemented the PolicyMaker trust management
system, which provided a unified framework for describing policies (rules),
credentials  (trust  evidence),  and  trust  relationships.  Also,  this  system  was  locally 
controlled,  since  it  did  not  rely  on  a  centralized  authority  to  evaluate  the  credentials: 
Each  user  had  the  freedom  and  the  responsibility  to  reach  his  own  decisions. 

The main issues in this and related work (KeyNote [5], SPKI/SDSI [13], Delegation
Logic [30], Trust Policy Language [22], also [46]) are: the language in which
the credentials and the policies will be described; the compliance-checking algorithm
that checks if the credentials satisfy the policy rules; and the algorithm for the discovery
of the credentials in the first place (remember, credentials can be stored
throughout the network). Note that a graph is often used for depicting the credentials
issued by an entity i for an entity j, and the edges of the graph are labeled
according to the parameters of the credential.

2.2.2  PGP  trust  metric 

In  PGP  [50],  a  distinction  is  made  between  the  validity  of  a  public  key  and  its  trust 
level. Bob’s key is valid for Alice, if Alice believes that it really belongs to Bob. The
trust level of Bob’s key corresponds to how carefully Bob authenticates keys before
issuing  certificates  for  them.  The  trust  levels  of  the  keys  known  to  Alice  are  assigned 
in  any  way  Alice  wants.  PGP  only  determines  the  validity  of  a  key  according  to 
how  many  keys  have  signed  it,  and  what  the  trust  levels  of  the  signing  keys  are. 
The  default  rules  for  computing  the  validity  of  keys  are  described  next,  but  a  user 
is  free  to  change  them. 


| Trust level of signing key | Validity rule |
|---|---|
| unknown | Certificates signed with unknown keys are ignored. |
| untrusted | Certificates signed with untrusted keys are ignored. |
| marginally trusted | Key is valid if 2 or more marginally trusted keys have signed it. |
| fully trusted | Key is valid if 1 or more fully trusted keys have signed it. |

2.2.3  Probabilistic 


Maurer’s metric ([36], [27]) assigns weights $w_{ij} \in [0,1]$ to edges. These weights
correspond to i’s opinion about the trustworthiness of the certificate issued for j’s
public key, i.e. to what degree i believes that the {public key - owner ID} binding
implied by the edge $i \to j$ has been properly certified. The weights are then treated
as link survival probabilities. The metric calculates the probability that at least one
path survives that leads from the entity evaluating the metric to the entity involved
in the certificate in question.
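
The following added example (not code from the thesis or from Maurer's papers) computes this probability exactly by enumerating every set of surviving edges, and compares it with the extensional shortcut of Section 2.1.4 that combines per-path values as if paths were independent. The two graphs, their weights and all function names are constructed for illustration.

```python
from itertools import product

# Constructed trust graph: every path from A to B depends on the edge A -> X.
SHARED = {
    ("A", "X"): 0.9,
    ("X", "Y"): 0.8, ("Y", "B"): 0.7,
    ("X", "Z"): 0.8, ("Z", "B"): 0.7,
}
# Constructed trust graph with two edge-disjoint paths from A to B.
DISJOINT = {
    ("A", "Y"): 0.9, ("Y", "B"): 0.8,
    ("A", "Z"): 0.7, ("Z", "B"): 0.6,
}


def reachable(edges, src, dst):
    """Depth-first search restricted to the given (surviving) edges."""
    stack, seen = [src], {src}
    while stack:
        node = stack.pop()
        if node == dst:
            return True
        for u, v in edges:
            if u == node and v not in seen:
                seen.add(v)
                stack.append(v)
    return False


def intensional(weights, src, dst):
    """Exact metric: sum the probability of every 'possible world' (subset of
    surviving edges) in which dst is reachable from src. Cost is O(2^|E|)."""
    edge_list = list(weights)
    total = 0.0
    for alive in product((False, True), repeat=len(edge_list)):
        prob = 1.0
        for edge, up in zip(edge_list, alive):
            prob *= weights[edge] if up else 1.0 - weights[edge]
        surviving = [e for e, up in zip(edge_list, alive) if up]
        if reachable(surviving, src, dst):
            total += prob
    return total


def simple_paths(weights, node, dst, path=()):
    """Yield every cycle-free path from node to dst as a tuple of nodes."""
    path = path + (node,)
    if node == dst:
        yield path
        return
    for u, v in weights:
        if u == node and v not in path:
            yield from simple_paths(weights, v, dst, path)


def extensional(weights, src, dst):
    """Shortcut: multiply weights along each path, then combine the paths as
    if they failed independently: 1 - prod(1 - p_path)."""
    miss = 1.0
    for path in simple_paths(weights, src, dst):
        p = 1.0
        for u, v in zip(path, path[1:]):
            p *= weights[(u, v)]
        miss *= 1.0 - p
    return 1.0 - miss


if __name__ == "__main__":
    for name, graph in (("shared edge", SHARED), ("disjoint", DISJOINT)):
        print(name, round(intensional(graph, "A", "B"), 6),
              round(extensional(graph, "A", "B"), 6))
```

On the graph with the shared edge the shortcut reports more trust than the exact computation, because it counts the single edge A → X as if it were two independent pieces of evidence; on the disjoint graph both agree.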

2.2.4 Path Independence


Reiter  and  Stubblebine  ([41], [42])  introduced  the  concept  of  path  independence  for 
entity  authentication.  They  argued  that  multiple  independent  paths  are  a  safer  way 
to  authenticate  Bob  than  either  the  reachability  or  the  bounded  reachability  metric. 
Their  proposal  was  a  Bounded  Length  Independent  Paths  metric  which  returns  a 
set  of  node-disjoint  paths  from  Alice  to  Bob  which  are  shorter  than  K  hops.  Since 
the  computation  of  this  metric  is  an  NP-complete  problem  for  K  >  5  they  gave 
approximation  algorithms.  Note  that  if  we  drop  the  bounded  length  constraint,  the 
problem  becomes  polynomial. 

In  a  subsequent  paper  the  same  people  suggested  a  different  metric,  based 
on  network  flow  techniques.  The  model  being  the  same,  weights  were  added  on 
the  edges  indicating  the  amount  of  money  that  the  issuer  will  pay  to  anyone  who 
is  misled  because  of  the  certificate.  Being  misled  means  falsely  authenticating  the 
certified  entity  or  incurring  losses  because  the  certified  entity  misbehaves.  Treating 
the  edge  weights  as  capacities,  the  metric  calculates  the  maximum  flow  from  Alice 
to  Bob.  This  is  the  minimum  amount  of  money  for  which  Alice  is  insured  in  the  case 
of  her  being  misled  by  Bob’s  key.  Note  that  if  all  edges  are  assigned  unit  capacities, 
this  metric  calculates  the  number  of  edge-disjoint  paths  from  Alice  to  Bob. 
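
The flow-based metric just described can be reproduced with a textbook maximum-flow routine. This is an added example, not code from the thesis or from Reiter and Stubblebine: the issuers C1 and C2, the insured amounts and the function names are constructed. It also checks the unit-capacity remark above and shows that one additional edge (the edge-attack model of Section 2.1.5) moves the result by no more than that edge's own capacity.

```python
from collections import deque


def max_flow(capacity, source, sink):
    """Edmonds-Karp maximum flow. capacity maps (issuer, subject) -> amount."""
    residual, neighbours = {}, {}
    for (u, v), c in capacity.items():
        residual[(u, v)] = residual.get((u, v), 0) + c
        residual.setdefault((v, u), 0)          # reverse edge for undoing flow
        neighbours.setdefault(u, set()).add(v)
        neighbours.setdefault(v, set()).add(u)
    flow = 0
    while True:
        # Breadth-first search for a shortest augmenting path.
        parent = {source: None}
        queue = deque([source])
        while queue and sink not in parent:
            u = queue.popleft()
            for v in neighbours.get(u, ()):
                if v not in parent and residual[(u, v)] > 0:
                    parent[v] = u
                    queue.append(v)
        if sink not in parent:
            return flow
        # Find the bottleneck on that path, then push flow along it.
        bottleneck, v = float("inf"), sink
        while parent[v] is not None:
            bottleneck = min(bottleneck, residual[(parent[v], v)])
            v = parent[v]
        v = sink
        while parent[v] is not None:
            u = parent[v]
            residual[(u, v)] -= bottleneck
            residual[(v, u)] += bottleneck
            v = u
        flow += bottleneck


def edge_disjoint_paths(capacity, source, sink):
    """Unit capacities turn the metric into a count of edge-disjoint paths."""
    return max_flow({edge: 1 for edge in capacity}, source, sink)


# Constructed certificate graph: the weight is the amount the issuer insures.
BASE = {
    ("Alice", "C1"): 100, ("Alice", "C2"): 50,
    ("C1", "Bob"): 40, ("C2", "Bob"): 60,
}
# The same graph after a single extra certificate C1 -> C2 worth 30 appears.
EXTRA_EDGE = dict(BASE)
EXTRA_EDGE[("C1", "C2")] = 30

if __name__ == "__main__":
    print("insured amount:", max_flow(BASE, "Alice", "Bob"))
    print("with one extra edge:", max_flow(EXTRA_EDGE, "Alice", "Bob"))
    print("edge-disjoint paths:", edge_disjoint_paths(BASE, "Alice", "Bob"))
```

The extra edge promises 30 but raises Alice's result by only 10, because the certificates issued directly for Bob cap what can reach him.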

2.2.5  Flow  based 

Levien’s  metric  ([29])  is  also  network  flow  based.  After  assigning  edge  capacities 
the metric treats trust as a commodity that flows from Alice to Bob. Alice has unit
quantity of trust and tries to send it to Bob. The metric calculates how much of
this  unit  quantity  reaches  Bob.  By  suitably  assigning  capacities,  the  metric  is  made 
more  resistant  to  attacks.  However,  some  assumptions  in  this  work  are  not  realistic, 
e.g.  that  all  nodes  have  the  same  indegree  d. 

2.2.6  Subjective  Logic 

Jøsang ([24]) has developed an algebra for assessing trust relations, and he has applied
it to certification chains. To a statement like "The key is authentic" he is
assigning a triplet (called opinion) $(b, d, u) \in [0,1]^3 : b + d + u = 1$, where b, d,
and u designate belief, disbelief, and uncertainty respectively. Belief (disbelief) in a
statement increases when supporting (contradicting) evidence appears. Uncertainty
is caused by the lack of evidence to support either belief or disbelief. When uncertainty
is zero, these triplets are interpreted as a traditional probability metric.
An opinion is qualified by the user who issues it, and by the statement it refers to:
$\omega^X_Y = \{b^X_Y, d^X_Y, u^X_Y\}$ is user X’s opinion about Y. Y can be a user, in which case $\omega^X_Y$
is X’s opinion about the quality of Y’s recommendations, or Y can be a statement
such as "The key is authentic".

2.2.7  Local  Interaction 

Trust computation based on interactions with one-hop physical neighbors is a typical
case for extensional systems. In [8], for instance, first-hand observations are
exchanged between neighboring nodes. Assume i receives from j evidence about
k. First of all, i adjusts his opinion for j, based on how close j’s evidence is to i’s
previous opinion about k. If it is not closer than some threshold, the new evidence
is discarded, and i lowers his opinion about j. Otherwise, i increases his trust for j
and the new evidence is merged with i’s existing opinion for k. The whole process
is based on local message exchange.

In [33], a group Q of users is selected, and they are asked to give their opinion
about  a  certain  target  node.  The  end  result  is  a  weighted  average  of  their  opinions 
and  any  preexisting  opinion  that  the  initiator  node  may  have.  One  possible  selection 
for  the  group  Q  is  the  one-hop  neighbors  of  the  initiator. 

In the EigenTrust algorithm [26], nodes exchange vectors of personal observations
(called local trust values) with their one-hop neighbors. Node i’s local
trust value for node j is denoted by $c_{ij}$. These trust values are normalized
($\forall i : \sum_j c_{ij} = 1$). Each node i calculates global trust values $t_{ij}$ for all other nodes
j by the following iterative computation: , where $t^{0}_{kj} = c_{kj}$. If
$C = [c_{ij}]$ is the local trust value matrix (row i holds node i’s local trust values),
then the above iteration essentially solves the following system of linear equations
for T:

$$T = CT$$

where $T = [t_{ij}]$ contains the global trust values.

Under  some  assumptions  for  C,  all  rows  of  T  are  identical:  All  nodes  i  have 
the  same  opinion  about  any  particular  node  j.  The  assumptions  for  C  are  that  it 
is  irreducible  and  aperiodic.  If  C  is  viewed  as  the  transition  probability  matrix  of 
a Markov chain, then each of T’s rows is the steady state probability distribution,
and also the left principal eigenvector of C.
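
The added example below (not code from the thesis or from the EigenTrust authors) iterates towards the fixed point T = CT and checks the properties stated above. The update rule T ← C·T started from T = C is an assumption chosen to match that fixed-point equation; the matrices and function names are constructed. It also shows what happens when C is not irreducible and aperiodic.

```python
def normalize_rows(raw):
    """Scale each node's non-negative observations so that its row sums to 1."""
    out = []
    for row in raw:
        total = sum(row)
        if total <= 0:
            raise ValueError("a node with no observations cannot be normalized")
        out.append([x / total for x in row])
    return out


def matmul(a, b):
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]


def global_trust(c, tol=1e-12, max_iter=10_000):
    """Iterate T <- C.T from T = C until successive iterates differ by < tol.
    Returns (T, iterations); raises ArithmeticError if no fixed point is found."""
    t = [row[:] for row in c]
    for n in range(1, max_iter + 1):
        nxt = matmul(c, t)
        delta = max(abs(x - y) for r1, r2 in zip(nxt, t) for x, y in zip(r1, r2))
        t = nxt
        if delta < tol:
            return t, n
    raise ArithmeticError("no convergence: is C irreducible and aperiodic?")


def rows_identical(t, tol=1e-9):
    """True when every node ends up with the same opinion about each target."""
    return all(abs(x - y) <= tol for row in t[1:] for x, y in zip(row, t[0]))


def is_left_eigenvector(pi, c, tol=1e-9):
    """Check pi.C == pi, i.e. pi is a stationary distribution of C."""
    n = len(c)
    return all(abs(sum(pi[k] * c[k][j] for k in range(n)) - pi[j]) <= tol
               for j in range(n))


# Constructed raw observations for three nodes (row i = node i's view).
RAW = [[0, 4, 1],
       [2, 0, 2],
       [3, 1, 0]]
C = normalize_rows(RAW)

# Constructed failure cases for the assumptions on C.
PERIODIC = [[0.0, 1.0],
            [1.0, 0.0]]             # two nodes that only rate each other
PARTITIONED = [[0.5, 0.5, 0.0, 0.0],
               [0.5, 0.5, 0.0, 0.0],
               [0.0, 0.0, 0.5, 0.5],
               [0.0, 0.0, 0.5, 0.5]]  # two groups, no opinions across them

if __name__ == "__main__":
    t, n = global_trust(C)
    print("converged after", n, "iterations:", [round(x, 4) for x in t[0]])
    print("partitioned rows identical?",
          rows_identical(global_trust(PARTITIONED)[0]))
```

With the partitioned matrix the iteration still converges, but each group keeps its own view, so there is no single global trust vector; with the periodic matrix it never settles.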

Chapter 3

Our  Approach 

3.1  System  Model 

We view the trust inference problem as a generalized shortest path problem on a
weighted directed graph $G(V, E)$ (trust graph). The vertices of the graph are the
users/entities in the network. A weighted edge from vertex i to vertex j corresponds
to the opinion that entity i, also referred to as the issuer, has about entity j, also
referred to as the target. The weight function is $l(i, j) : V \times V \to S$, where S is
the opinion space.

Each  opinion  consists  of  two  numbers:  the  trust  value,  and  the  confidence 
value. The former corresponds to the issuer’s estimate of the target’s trustworthiness.
For example, a high trust value may mean that the target is one of the good
guys, or that the target is able to give high quality location information, or that a digital
certificate issued for the target’s public key is believed to be correct. On the other
hand, the confidence value corresponds to the accuracy of the trust value assignment.
A high confidence value means that the target has passed a large number of tests
that the issuer has set, or that the issuer has interacted with the target for a long
time, and no evidence for malicious behavior has appeared. Since opinions with a
high confidence value are more useful in making trust decisions, the confidence value
is also referred to as the quality of the opinion. The space of opinions can be visualized
as a rectangle (ZERO_TRUST, MAX_TRUST) × (ZERO_CONF, MAX_CONF)
in the Cartesian plane (Figure 3.1, for $S = [0,1] \times [0,1]$).

Figure 3.1: Opinion space

Both the trust and the confidence values are assigned by the issuer, in accordance
with his own criteria. This means that a node that tends to sign public key
certificates without too much consideration will often give high trust and high confidence
values. The opposite holds true for a strict entity. When two such entities
interact,  it  is  important  for  the  stricter  entity  to  assign  a  low  enough  trust  value 
to  the  less  strict  one.  Otherwise,  the  less  strict  entity  may  lead  the  stricter  one 
to  undesirable  trust  decisions.  This  situation  is  easier  to  picture  in  the  context  of 
Certification  Authorities  and  public  key  certification.  There,  a  CA  A  will  only  give 
a  high  trust  value  to  B,  if  B’s  policy  for  issuing  certificates  is  at  least  as  strict  as 
A’s  and  has  the  same  durability  characteristics  [17]. 

Also,  it  is  assumed  that  nodes  assign  their  opinions  based  on  local  observations. 
For  example,  each  node  may  be  equipped  with  a  mechanism  that  monitors  neighbors 
for evidence of malicious behavior, as in [35]. Alternatively, two users may come in
close contact and visually identify each other, or exchange public keys, as suggested
in  [12].  In  any  case,  the  input  to  the  system  is  local:  however,  extant  pieces  of 
evidence  based  on,  e.g.,  previous  interactions  with  no  longer  neighboring  nodes  can 
also  be  taken  into  account  for  the  final  decision.  This  would  come  into  play  when 
two  nodes  that  have  met  in  the  past  need  now  to  make  a  trust  decision  for  each 
other.  Of  course,  the  confidence  value  for  such  evidence  would  diminish  over  time. 
One  consequence  of  the  locality  of  evidence  gathering  is  that  the  trust  graph  initially 
overlaps  with  the  physical  topology  graph:  The  nodes  are  obviously  the  same,  and 
the  edges  are  also  the  same  if  the  trust  weights  are  not  taken  into  account.  As  nodes 
move,  opinions  for  old  neighbors  are  preserved,  so  the  trust  graph  will  have  more 
edges  than  the  topology  graph.  However,  as  time  goes  by,  these  old  opinions  fade 
away,  and  so  do  the  corresponding  edges. 

In  the  framework  described,  two  versions  of  the  trust  inference  problem  can 
be formalized. The first is finding the trust-confidence value that a source node
A should assign to a destination node B, based on the intermediate nodes’ trust-confidence
values. Viewed as a generalized shortest path problem, it amounts to
finding the generalized distance between nodes A and B. The second version is
finding the most trusted path between nodes A and B. That is, find a sequence of
nodes $(v_0 = A, v_1, \ldots, v_k = B) : (v_i, v_{i+1}) \in E, 0 \le i \le k-1$ that has the highest
aggregate trust value among all trust paths starting at A and ending at B. A high
level view of the system is shown in Figure 3.2.

Figure 3.2: System operation

Both problems are important: finding a target’s trust value is needed before
deciding whether to grant him access to one’s files, or whether to disclose sensitive
information, or what kind of orders he is allowed to give (in a military scenario,
for  instance).  With  this  approach,  a  node  will  be  able  to  rely  on  other  nodes’  past 
experiences  and  not  just  his  own,  which  might  be  insufficient.  The  second  problem 
is  more  relevant  when  it  comes  to  actually  communicating  with  a  target  node.  The 
target  node  being  trustworthy  is  one  thing,  but  finding  a  trusted  path  of  nodes  is 
needed,  so  that  traffic  is  routed  through  them.  Note  that  this  does  not  necessarily 
reduce  to  the  previous  problem  of  finding  the  trust  distance  between  the  nodes,  as 
is  the  case  for  the  usual  shortest  path  problem  in  a  graph.  In  the  trust  case,  we 
will  usually  utilize  multiple  trust  paths  to  find  the  trust  distance  from  the  source 
to  the  destination,  since  that  will  increase  the  evidence  on  which  the  source  bases 
its final estimate. Consequently, there may be more than one path contributing to
this  estimate. 

The core of our approach is the two operators that are used to combine opinions:
One operator (denoted $\otimes$) combines opinions along a path, i.e. A’s opinion for
B is combined with B’s opinion for C into one indirect opinion that A should have
for C, based on B’s recommendation. The other operator (denoted $\oplus$) combines
opinions across paths, i.e. A’s indirect opinion for X through path $p_1$ is combined
with A’s indirect opinion for X through path $p_2$ into one aggregate opinion that reconciles
both. Then, these operators can be used in a general framework for solving
path problems in graphs, provided they satisfy certain mathematical properties, i.e.
form an algebraic structure called a semiring. More details on this general framework
are in section 3.2. Two existing trust computation algorithms (PGP [50] and
EigenTrust [26]) are modeled as operations on two particular semirings. Note that
our approach differs from PGP in that it allows the user to infer trust values for
unknown users/keys. That is, not all trust values have to be directly assigned by
the user making the computations. The operators are discussed in greater depth in
section 3.3.

3.2  Semirings 

For  a  more  complete  survey  of  the  issues  briefly  exposed  here,  see  [43]. 

3.2.1  Definitions 

A semiring is an algebraic structure $(S, \oplus, \otimes)$, where S is a set, and $\oplus$, $\otimes$ are binary
operators with the following properties ($a, b, c \in S$):

• $\oplus$ is commutative, associative, with a neutral element ⓪ $\in S$:

$$a \oplus b = b \oplus a$$
$$(a \oplus b) \oplus c = a \oplus (b \oplus c)$$
$$a \oplus ⓪ = a$$

• $\otimes$ is associative, with a neutral element ① $\in S$, and ⓪ as an absorbing
element:

$$(a \otimes b) \otimes c = a \otimes (b \otimes c)$$
$$a \otimes ① = ① \otimes a = a$$
$$a \otimes ⓪ = ⓪ \otimes a = ⓪$$

• $\otimes$ distributes over $\oplus$:

$$(a \oplus b) \otimes c = (a \otimes c) \oplus (b \otimes c)$$
$$a \otimes (b \oplus c) = (a \otimes b) \oplus (a \otimes c)$$

A semiring $(S, \oplus, \otimes)$ with a partial order relation $\preceq$ that is monotone with
respect to both operators is called an ordered semiring $(S, \oplus, \otimes, \preceq)$:

$$a \preceq b \text{ and } a' \preceq b' \implies a \oplus a' \preceq b \oplus b' \text{ and } a \otimes a' \preceq b \otimes b'$$

An ordered semiring $(S, \oplus, \otimes, \preceq)$ is ordered by the difference relation if:

$$\forall a, b \in S : (a \preceq b \iff \exists z \in S : a \oplus z = b)$$

A semiring is called idempotent when the following holds:

$$\forall a \in S : a \oplus a = a$$

3.2.2  Semirings  for  path  problems 

In the context of the generalized shortest path problem in a weighted graph, $\otimes$
is the operator used to calculate the weight of a path based on the weights of the
path's edges:

$$p = (v_0, v_1, \ldots, v_k), \quad w(p) = w(v_0, v_1) \otimes w(v_1, v_2) \otimes \ldots \otimes w(v_{k-1}, v_k)$$

The $\oplus$ operator is used to compute the shortest path weight $d_{ij}$ as a function
of all paths from the source $i$ to the destination $j$:

$$d_{ij} = \bigoplus_{p \text{ is a path from } i \text{ to } j} w(p)$$

In the familiar context of edge weights being transmission delays, the semiring
used is $(\mathbb{R}^+ \cup \{\infty\}, \min, +)$, i.e. $\oplus$ is min, and $\otimes$ is +:
The total delay of a path is equal to the sum of all constituent edge delays, whereas
the shortest path is the one with minimum delay among all paths. Also, ⓪ is $\infty$,
and ① is 0. On the other hand, if edge weights are link capacities, then the maximum
bottleneck capacity path is found by the semiring $(\mathbb{R}^+ \cup \{\infty\}, \max, \min)$,
with ⓪ = 0, ① = $\infty$. The transitive closure of a graph uses the Boolean semiring:
$(\{0, 1\}, \vee, \wedge)$, where all edge weights are equal to 1. This answers the
problem of path existence.

Note that the $\oplus$ operator may pick a single path weight (as is the case with
max and min) or it may explicitly combine information from all paths (addition or
multiplication).

3.2.3  Semirings  for  systems  of  linear  equations 

An equivalent way to describe the previous shortest path problem is by way of
a system of equations that the shortest path weights and the edge weights should
satisfy. If $a_{ij}$ is the weight of the edge $(i, j)$, with ⓪ being the weight of
non-existent edges, and $x_{ij}$ is the shortest path weight from $i$ to $j$, then the
following equation has to hold (assume there exist $n$ nodes):

$$x_{ij} = \bigoplus_{k=1}^{n} (a_{ik} \otimes x_{kj})$$

For example, when edge weights are transmission delays, this equation becomes:

$$x_{ij} = \min_{1 \le k \le n} (a_{ik} + x_{kj})$$

Note, also, that if $\oplus$ and $\otimes$ are the usual addition and multiplication,
respectively, then the first of the above equations becomes exactly matrix multiplication.

$$x_{ij} = \sum_{k=1}^{n} a_{ik} x_{kj} \iff X = AX, \quad X = [x_{ij}]_{n \times n}, \; A = [a_{ij}]_{n \times n}$$

We will use this fact in a later section to model an existing trust computation
algorithm.

3.2.4  Semirings  in  previous  work  on  trust 

Semirings have not been used in the context of trust management, with one exception
[4]. In that paper, the aim is to combine access control policies, and come up with one
that maximally satisfies the imposed constraints. The problem is seen as a
Semiring-based Constraint Satisfaction Problem, in which the constraints are defined
over a semiring.

In order to show the modeling power of this framework, we now model PGP's
web of trust computations [50] as a semiring. Remember that PGP computes the
validity of an alleged key-to-user binding, as seen from the point of view of a
particular user, henceforth called the source. The input to the computation algorithm
consists of three things: The source node, the graph of certificates issued by users
for each other, and the trust values for each user as assigned by the source. Note
that the validity of all key-to-user bindings has to be verified, since only certificates
signed by valid keys are taken into account, and any certificate may influence the
validity of a key-to-user binding.

The validity of the key-to-user binding for user $i$ will be deduced from the
vector $d_i \in \mathbb{N}^k$, where $k$ is the number of different trust levels defined
by PGP. It seems that $k$ is 4 ("unknown", "untrusted", "marginally trusted",
"fully trusted"), but some include a fifth level: "ultimately trusted". Our analysis is
independent of the exact value of $k$. The vector $d_i$ will hold the number of valid
certificates for user $i$ that have been signed by users of each trust level. For
example, $d_i = (0, 1, 2, 3)$ means that one "untrusted", two "marginally trusted",
and three "fully trusted" users have issued certificates for user $i$'s public key. In
addition, all six of these certificates are signed by valid keys, i.e. keys for which the
key-to-user binding has been verified.

In order to verify the actual validity of the binding, we will use the function
$\mathrm{val} : \mathbb{N}^k \to V$, where $V$ is the space of admissible results. For
simplicity, we will be assuming that $V$ = {"invalid", "valid"}, although values such as
"marginally valid" have also been proposed. The output of val for a specific input is
determined by thresholds such as: "A key-to-user binding is valid if at least two
"marginally trusted" users have issued a certificate for it". These thresholds are
incorporated in val and will be transparent to our analysis. Finally, for computation
simplicity we will be assuming that $V = \{0, 1\}$, where "invalid" = 0, and "valid" = 1.

The edge weights $w_{ij} \in \mathbb{N}^k$, $1 \le i, j \le n$, where $n$ is the number of
users, correspond to the certificate from $i$ about $j$'s alleged public key. A weight can
only have one of $k + 1$ possible values. Either it consists only of 0s, or of exactly
$k - 1$ 0s and one 1. An all-zero weight means that there is no certificate from $i$
about $j$'s key. A 1 in the position that corresponds to trust level $t$ means that the
source has assigned trust level $t$ to $i$, and $i$ has issued a certificate for $j$.

The $\otimes$ operator is defined as follows ($a, b \in \mathbb{N}^k$):

$$a \otimes b = \mathrm{val}(a)\, b \in \mathbb{N}^k$$

The $\oplus$ operator is defined exactly as vector addition in $\mathbb{N}^k$.

Verification  of  the  semiring  properties 

For $\otimes$, the absorbing element is ⓪ $= (0, \ldots, 0) \in \mathbb{N}^k$, and the
neutral element is ① $= \{x \in \mathbb{N}^k : \mathrm{val}(x) = 1\}$. That is, all such
vectors are mapped to ①; for our purposes, they are equivalent. It is trivial to prove
that ⓪ is a neutral element for $\oplus$.

The $\otimes$ operator is associative:

$$a \otimes (b \otimes c) = a \otimes (\mathrm{val}(b)\, c) = \mathrm{val}(a)\, \mathrm{val}(b)\, c$$

$$(a \otimes b) \otimes c = (\mathrm{val}(a)\, b) \otimes c = \mathrm{val}(\mathrm{val}(a)\, b)\, c$$

and these two are equal because val(⓪) = 0.

The $\oplus$ operator is commutative and associative, because it is vector addition.
The $\otimes$ operator distributes over $\oplus$:

$$a \otimes (b \oplus c) = \mathrm{val}(a)(b + c)$$

$$(a \otimes b) \oplus (a \otimes c) = \mathrm{val}(a)\, b + \mathrm{val}(a)\, c$$

The following computation algorithm uses the above semiring to compute the
validity or otherwise of all keys in the certificate graph G. The source node is s and
the function w maps edges to edge weights.

PGP-Semiring-Calculation(G, w, s)

    for i ← 1 to |V|
        do d[i] ← ⓪
    d[s] ← ①
    S ← {s}
    while S ≠ ∅
        do u ← Dequeue(S)
           for each v ∈ Neighbors[u], such that val(d[v]) = 0
               do d[v] ← d[v] ⊕ (d[u] ⊗ w(u, v))
                  if val(d[v]) = 1
                      then Enqueue(S, v)

The computation starts at the source s, and progressively computes the
validity of all keys reachable from s in the certificate graph. The queue S contains all
valid keys for which the outgoing edges (certificates signed with these keys) have not
been examined yet. When a key is extracted from S, its certificates to other keys
are examined, and their d-vectors are updated. Only certificates to so-far-invalid
keys are examined, since adding a certificate to the d-vector of a key already shown
to be valid is redundant. If a so-far-invalid key obtains enough certificates to
become valid, it is added to the queue for future examination. Each key is enqueued
at most once (when it becomes valid), and all keys in the queue are eventually
dequeued. Ergo, the algorithm terminates. After termination, all valid keys have been
discovered.

Note that if s is only interested in the validity of a particular key-to-user
binding, then the algorithm can stop earlier: as soon as its validity is determined,
or after all certificates for that key have been examined.
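The PGP-Semiring-Calculation above as runnable Python, added here as an example and not part of the original text. The choice k = 4, the thresholds inside `val` (one fully trusted or two marginally trusted signers), the user names and the certificate graph are constructed assumptions.

```python
from collections import deque

# Trust levels the source can assign to a signer (k = 4), lowest to highest.
LEVELS = ("unknown", "untrusted", "marginal", "full")
MARGINALS_NEEDED = 2   # assumed threshold: two marginally trusted signers
FULLS_NEEDED = 1       # assumed threshold: one fully trusted signer

ZERO = (0, 0, 0, 0)            # no valid certificates: neutral for (+), absorbing for (x)
ONE = (0, 0, 0, FULLS_NEEDED)  # one representative of the class {x : val(x) = 1}


def val(d):
    """Threshold function val: N^k -> {0, 1}, where 1 means the binding is valid."""
    marginal, full = d[2], d[3]
    return int(full >= FULLS_NEEDED or marginal >= MARGINALS_NEEDED)


def otimes(a, b):
    """a (x) b = val(a) * b: a certificate counts only if the signing key is valid."""
    return tuple(val(a) * x for x in b)


def oplus(a, b):
    """a (+) b: component-wise vector addition."""
    return tuple(x + y for x, y in zip(a, b))


def weight(level):
    """Edge weight of a certificate whose signer was assigned `level` by the source."""
    return tuple(int(name == level) for name in LEVELS)


def pgp_semiring_calculation(certs, trust, source):
    """certs maps signer -> subjects; trust maps user -> level assigned by source."""
    users = set(certs) | {v for subjects in certs.values() for v in subjects}
    d = {u: ZERO for u in users | {source}}
    d[source] = ONE
    queue = deque([source])
    while queue:
        u = queue.popleft()
        for v in certs.get(u, []):
            if val(d[v]) == 1:      # already valid: more certificates are redundant
                continue
            d[v] = oplus(d[v], otimes(d[u], weight(trust[u])))
            if val(d[v]) == 1:      # v just became valid: examine its certificates later
                queue.append(v)
    return d


def valid_keys(d):
    return sorted(u for u, vec in d.items() if val(vec) == 1)


# Constructed certificate graph. mallory is "fully trusted" as an introducer, but
# nobody with a valid key has certified mallory's own key.
CERTS = {
    "alice": ["bob", "carol", "trent"],
    "bob": ["dave", "frank"],
    "carol": ["dave"],
    "dave": ["erin"],
    "trent": ["frank"],
    "mallory": ["frank"],
}
TRUST = {
    "alice": "full", "bob": "marginal", "carol": "marginal", "dave": "full",
    "trent": "untrusted", "mallory": "full", "erin": "unknown", "frank": "unknown",
}

if __name__ == "__main__":
    result = pgp_semiring_calculation(CERTS, TRUST, "alice")
    for user in sorted(result):
        print(user, result[user], "valid" if val(result[user]) else "invalid")
```

frank ends with one "untrusted" and one "marginally trusted" certificate and stays invalid: mallory's key is never validated, so mallory is never dequeued and her certificate for frank is never added to frank's d-vector.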

We can also model the EigenTrust algorithm [26] as a semiring. Using the
system of linear equations interpretation of a semiring, the EigenTrust algorithm
solves the following matrix equation for T:

$$T = CT \iff t_{ij} = \sum_{k=1}^{n} c_{ik} t_{kj}$$

where the semiring operators are the usual addition and multiplication.

3.3  Trust  Semiring 

3.3.1  Intuitive  Requirements 

Based on intuitive concepts about trust establishment, we can expect the binary
operators to have certain properties in addition to those required by the semiring
structure.

Since an opinion should deteriorate along a path, we require the following for
the $\otimes$ operator ($a, b \in S$):

$$a \otimes b \preceq a, b$$

where $\preceq$ is the difference relation defined in Section 3.2. Note that the total
opinion along a path is "limited" by the source's opinion for the first node in the path.

The element ⓪ (neutral element for $\oplus$, absorbing for $\otimes$) is the set of
opinions (t, ZERO_CONF), for any $t \in [0, 1]$, which, in essence, corresponds to
non-existent trust relations between nodes. The motivation is that if a ⓪ is encountered
along a path, then the whole path "through" this opinion should have zero confidence.
Also, such opinions should be ignored in $\oplus$-sums.

The element ① (neutral element for $\otimes$) is the "best" opinion that can be
assigned to a node: (MAX_TRUST, MAX_CONF). This can be seen as the opinion of
a node about itself. Also, it is the desirable point of convergence of the opinions of
all good nodes about all other good nodes in the classification example. If
encountered along a path, ① effectively contracts the corresponding edge and identifies
the nodes at its endpoints for the purposes of the aggregation.

Regarding aggregation across paths with the $\oplus$ operator, we generally expect
that opinion quality will improve, since we have multiple opinions. If the opinions
disagree, the more confident one will weigh heavier. In a fashion similar to the
$\otimes$ operator, we require that the $\oplus$ operator satisfies ($a, b \in S$):

$$a \oplus b \succeq a, b$$


3.3.2  Path  semiring 

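In this semiring, the opinion space is $S = [0, 1] \times [0, 1]$. Our choice for the
$\otimes$ and $\oplus$ operators is as follows (Figure 3.3):

$$(t_{ik}, c_{ik}) \otimes (t_{kj}, c_{kj}) = (t_{ik} t_{kj},\; c_{ik} c_{kj}) \qquad (3.1)$$

$$(t_{ij}^{p_1}, c_{ij}^{p_1}) \oplus (t_{ij}^{p_2}, c_{ij}^{p_2}) =
\begin{cases}
(t_{ij}^{p_1}, c_{ij}^{p_1}) & \text{if } c_{ij}^{p_1} > c_{ij}^{p_2} \\
(t_{ij}^{p_2}, c_{ij}^{p_2}) & \text{if } c_{ij}^{p_1} < c_{ij}^{p_2} \\
(\max(t_{ij}^{p_1}, t_{ij}^{p_2}),\; c_{ij}) & \text{if } c_{ij}^{p_1} = c_{ij}^{p_2} = c_{ij}
\end{cases} \qquad (3.2)$$

where $(t_{ij}^{p_1}, c_{ij}^{p_1})$ is the opinion that $i$ has formed about $j$ along
the path $p_1$.

Figure 3.3: $\otimes$ and $\oplus$ operators for the Path semiring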

Since  both  the  trust  and  the  confidence  values  are  in  the  [0, 1]  interval,  they 
both  decrease  when  aggregated  along  a  path.  When  opinions  are  aggregated  across 
paths,  the  one  with  the  highest  confidence  prevails.  If  the  two  opinions  have  equal 
confidences  but  different  trust  values,  we  pick  the  one  with  the  highest  trust  value. 
We  could  have  also  picked  the  lowest  trust  value;  the  choice  depends  on  the  desired 
semantics  of  the  application. 

This semiring essentially computes the trust distance along the most confident
trust path to the destination. An important feature is that this distance is computed
along a single path, since the $\oplus$ operator picks exactly one path. Other paths are
ignored, so not all available information is being taken into account. One of the
advantages is that if the trust value turns out to be high, then a trusted path to
the destination has also been discovered. Also, fewer messages are exchanged for
information gathering.

Verification of the semiring properties

The neutral elements for this semiring are: ⓪ $= (t, 0)$, for any $t$, and ① $= (1, 1)$.
We can verify this by direct substitution.

The $\otimes$ operator is both associative and commutative, since the underlying
multiplication operator is. The $\oplus$ operator also has both of these properties, since
it picks the opinion with the highest confidence. So, it is essentially equivalent to a
max operation. The distributivity of $\otimes$ over $\oplus$ is proven as follows (We can
assume, without loss of generality, that $c_{kj}^{p_1} > c_{kj}^{p_2}$, or
$c_{kj}^{p_1} = c_{kj}^{p_2}$ and $t_{kj}^{p_1} > t_{kj}^{p_2}$):


So, we have proven that:

$$(t_{ik}, c_{ik}) \otimes \big((t_{kj}^{p_1}, c_{kj}^{p_1}) \oplus (t_{kj}^{p_2}, c_{kj}^{p_2})\big) = \big((t_{ik}, c_{ik}) \otimes (t_{kj}^{p_1}, c_{kj}^{p_1})\big) \oplus \big((t_{ik}, c_{ik}) \otimes (t_{kj}^{p_2}, c_{kj}^{p_2})\big)$$


3.3.3  Distance  semiring 

Our second choice is a semiring based on the Expectation semiring defined by Eisner
in [15], and used for speech/language processing:

$$(a_1, b_1) \otimes (a_2, b_2) = (a_1 b_2 + a_2 b_1,\; b_1 b_2)$$

$$(a_1, b_1) \oplus (a_2, b_2) = (a_1 + a_2,\; b_1 + b_2)$$

The opinion space is $S = [0, \infty] \times [0, 1]$. Before using this semiring, the pair
(trust, confidence) = $(t, c)$ is mapped to the weight $(c/t, c)$. The motivation for this
mapping becomes clear when we describe its effect on the results of the operators.
The binary operators are then applied to this weight, and the result is mapped back
to a (trust, confidence) pair.

Figure 3.4: $\otimes$ and $\oplus$ operators for the Distance semiring

So, when aggregating along a path, both the trust and the confidence decrease.
The component trust values are combined like parallel resistors. We can see here
the effect of the mapping: Two resistors in parallel offer lower resistance than either
of them in isolation. Also, a zero trust value in either opinion will result in a zero
trust value in the resulting opinion (absorbing element), while a trust value equal to
infinity will cause the corresponding opinion to disappear from the result (neutral
element). On the other hand, the component confidence values are between 0 and
1, and they are multiplied, so the resulting confidence value is smaller than both.

When aggregating across paths, the total trust value is the weighted harmonic
average of the components, with weights according to their confidence values. So,
the result is between the two component values, but closer to the more confident
one. Again we can see the effect of the mapping: The weighted harmonic average
outcome is a direct result of the inverse mapping. Note, also, the behavior caused
by extreme (zero or infinity) trust values: A zero trust value dominates the result
(unless its corresponding confidence is zero); a trust value equal to infinity results in
an increase in the trust value given by the other opinion. In order for the resulting
trust value to be the maximum possible, both opinions have to assign the maximum.
So, in general, we can say that this operator is conservative. A zero confidence value
(neutral element) causes the corresponding opinion to disappear from the result.

Verification  of  the  semiring  properties 

The neutral elements are: ⓪ $= (0, 0)$ and ① $= (0, 1)$, which we can verify by direct
substitution.

Because of their symmetry, both operators are commutative. The $\oplus$ operator
is trivially associative, and here is the proof for the associativity of $\otimes$:

$$((a_1, b_1) \otimes (a_2, b_2)) \otimes (a_3, b_3) = (a_1 b_2 + a_2 b_1,\; b_1 b_2) \otimes (a_3, b_3)$$
$$= (a_1 b_2 b_3 + a_2 b_1 b_3 + a_3 b_1 b_2,\; b_1 b_2 b_3)$$

$$(a_1, b_1) \otimes ((a_2, b_2) \otimes (a_3, b_3)) = (a_1, b_1) \otimes (a_2 b_3 + a_3 b_2,\; b_2 b_3)$$
$$= (a_1 b_2 b_3 + a_2 b_1 b_3 + a_3 b_1 b_2,\; b_1 b_2 b_3)$$

We now prove that $\otimes$ distributes over $\oplus$:

$$(a_1, b_1) \otimes ((a_2, b_2) \oplus (a_3, b_3)) = (a_1, b_1) \otimes (a_2 + a_3,\; b_2 + b_3)$$
$$= (a_1 (b_2 + b_3) + b_1 (a_2 + a_3),\; b_1 (b_2 + b_3))$$

$$((a_1, b_1) \otimes (a_2, b_2)) \oplus ((a_1, b_1) \otimes (a_3, b_3)) = (a_1 b_2 + a_2 b_1,\; b_1 b_2) \oplus (a_1 b_3 + a_3 b_1,\; b_1 b_3)$$
$$= (a_1 b_2 + a_2 b_1 + a_1 b_3 + a_3 b_1,\; b_1 b_2 + b_1 b_3)$$
$$= (a_1 (b_2 + b_3) + b_1 (a_2 + a_3),\; b_1 (b_2 + b_3))$$

3.3.4  Computation  algorithm 

The following algorithm, due to Mohri [38], computes the $\oplus$-sum of all path weights
from a designated node s to all other nodes in the trust graph G = (V, E).

Generic-Single-Source-Shortest-Distance(G, s)

     1  for i ← 1 to |V|
     2      do d[i] ← r[i] ← ⓪
     3  d[s] ← r[s] ← ①
     4  S ← {s}
     5  while S ≠ ∅
     6      do q ← head(S)
     7         Dequeue(S)
     8         r' ← r[q]
     9         r[q] ← ⓪
    10         for each v ∈ Neighbors[q]
    11             do if d[v] ≠ d[v] ⊕ (r' ⊗ w[(q, v)])
    12                   then d[v] ← d[v] ⊕ (r' ⊗ w[(q, v)])
    13                        r[v] ← r[v] ⊕ (r' ⊗ w[(q, v)])
    14                        if v ∉ S
    15                           then Enqueue(S, v)
    16  d[s] ← ①

This is an extension to Dijkstra's algorithm [14]. S is a queue that contains
the vertices to be examined next for their contribution to the shortest path weights.
The vector d[i], i ∈ V holds the current estimate of the shortest distance from s to i.
The vector r[i], i ∈ V holds the total weight added to d[i] since the last time i was
extracted from S. This is needed for non-idempotent semirings, such as the second
one proposed.
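Mohri's algorithm above as runnable Python, run with the Path and Distance semirings of sections 3.3.2 and 3.3.3 on a small acyclic trust graph. This is an added example, not code from the original text, and it implements the unmodified algorithm; the `Semiring` tuple, the helper names and the sample opinions are constructed for illustration, and `sum_over_paths` is a brute-force reference used only to check the result.

```python
from collections import deque, namedtuple
from fractions import Fraction as F

# A semiring as data: its two neutral elements and its two operators.
Semiring = namedtuple("Semiring", "zero one plus times")

# Path semiring on opinions (t, c): multiply along a path; across paths keep the
# most confident opinion, breaking confidence ties by the higher trust value.
PATH = Semiring(
    zero=(F(0), F(0)), one=(F(1), F(1)),
    plus=lambda p, q: max(p, q, key=lambda o: (o[1], o[0])),
    times=lambda p, q: (p[0] * q[0], p[1] * q[1]),
)

# Distance semiring on weights (a, b) = (c/t, c).
DISTANCE = Semiring(
    zero=(F(0), F(0)), one=(F(0), F(1)),
    plus=lambda x, y: (x[0] + y[0], x[1] + y[1]),
    times=lambda x, y: (x[0] * y[1] + y[0] * x[1], x[1] * y[1]),
)


def to_weight(opinion):
    """Map (trust, confidence) to the weight (c/t, c); this sketch needs t > 0."""
    t, c = opinion
    return (c / t, c)


def to_opinion(weight):
    """Map a weight (a, b) back to (trust, confidence) = (b/a, b)."""
    a, b = weight
    return (b / a if a else float("inf"), b)


def single_source_distance(graph, source, sr):
    """Generic single-source shortest distance; graph maps node -> [(neighbor, w)]."""
    nodes = set(graph) | {v for edges in graph.values() for v, _ in edges}
    d = {v: sr.zero for v in nodes}
    r = {v: sr.zero for v in nodes}   # weight added to d[v] since v was last dequeued
    d[source] = r[source] = sr.one
    queue = deque([source])
    while queue:
        q = queue.popleft()
        r_q, r[q] = r[q], sr.zero
        for v, w in graph.get(q, []):
            vote = sr.times(r_q, w)
            if d[v] != sr.plus(d[v], vote):
                d[v] = sr.plus(d[v], vote)
                r[v] = sr.plus(r[v], vote)
                if v not in queue:
                    queue.append(v)
    d[source] = sr.one
    return d


def sum_over_paths(graph, source, target, sr):
    """Brute-force reference: (+)-sum of the (x)-product of every simple path."""
    total, stack = sr.zero, [(source, sr.one, {source})]
    while stack:
        node, weight, seen = stack.pop()
        if node == target:
            total = sr.plus(total, weight)
            continue
        for v, w in graph.get(node, []):
            if v not in seen:
                stack.append((v, sr.times(weight, w), seen | {v}))
    return total


def indirect_opinions(opinions, source):
    """Distance-semiring opinions of `source` about every other node."""
    weights = {u: [(v, to_weight(op)) for v, op in e] for u, e in opinions.items()}
    d = single_source_distance(weights, source, DISTANCE)
    return {v: to_opinion(w) for v, w in d.items() if v != source}


# Constructed direct opinions (trust, confidence). s lists b before a, so b is
# dequeued once before a's vote for b arrives and must be dequeued a second time.
OPINIONS = {
    "s": [("b", (F(1, 2), F(1, 2))), ("a", (F(1), F(1, 2)))],
    "a": [("b", (F(1, 2), F(1, 2))), ("x", (F(1), F(1, 2)))],
    "b": [("x", (F(1, 2), F(1)))],
}

if __name__ == "__main__":
    print("Path semiring:    ", single_source_distance(OPINIONS, "s", PATH)["x"])
    print("Distance semiring:", indirect_opinions(OPINIONS, "s")["x"])
```

Under the Path semiring the opinion about x is (1/4, 1/2), taken from the single most confident path s-b-x; under the Distance semiring all three paths contribute and the result is (4/15, 1). Node b is dequeued twice in the Distance run, and because only r[b] is propagated the second time, the path s-b-x is counted once.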
Our computation algorithm is based on Mohri's, but with three adjustments
which are needed when considering the problem from the perspective of trust. Lines
11-13 of the algorithm will be referred to as "node q votes for node v".

First of all, some nodes may be prevented from voting. Only if a node's trust
value exceeds a predefined trust threshold is the node allowed to vote. This is
motivated by the common sense observation that only good nodes should
participate in the computation, and bad nodes should be barred. Note that there is no
restriction on the corresponding confidence. This will initially lead to bad nodes
being allowed to vote, but after some point they will be excluded since good nodes
will acquire evidence for their maliciousness.

Second, no node is allowed to vote for the source (s). Since it is s that initiates
the computation, it does not make sense to compute s's opinion for itself.

Third, no cyclic paths are taken into account. If that were the case, we would
be allowing a node to influence the opinion about itself, which is undesirable.
Unfortunately, there is no clear way to discard any single edge-opinion of the cycle. So,
the approach taken is to discard any edges that would form a cycle if accepted. As
a result, the order in which the voters are chosen in line 6 is important. We argue
that it makes sense to choose the node for which the confidence is highest.

Note that these adjustments introduce characteristics from the Path semiring
into the Distance semiring. For example, the node with the maximum confidence
gets to vote first. Moreover, some paths are pruned, which means that fewer messages
are exchanged, thus saving bandwidth, but also some of the existing information is
not taken into account. In general, this combination of the two semirings seems to
be a good tradeoff between the two.

Chapter 4

Evaluation and Experimental Results

In this chapter, we describe the scenarios that were examined in the
simulations. The results obtained are discussed, and explained in terms of the parameters
and properties of the algorithms.

4.1  Good  and  Bad  Nodes 

We  assume  that  some  nodes  are  Good,  and  some  are  Bad.  Good  nodes  adjust  their 
direct  opinions  (opinions  for  their  neighbors)  according  to  some  predefined  rules 
(explained  in  Section  4.2).  Bad  nodes,  however,  always  have  the  best  opinion  (1, 1) 
for  their  neighboring  Bad  nodes,  and  the  worst  opinion  (0, 1)  for  their  neighboring 
Good  nodes. 

We expect that the opinions of a Good node for all other nodes would evolve
as in Figure 4.1. That is, all Good and all Bad nodes will be identified as Good and
Bad, respectively.

4.2  Simulation  details 

When the network is "born", the nodes are partitioned into Good and Bad. We
pick a Good node, which will be computing indirect opinions to all other nodes.
Initial direct opinions are all set to (0.5, 0.1), i.e. medium trust and low confidence.
The trust threshold, which decides which nodes are allowed to vote, is empirically
set to 0.3. Time is discrete and is measured in rounds. At each round, two things
happen. First, the direct opinions of each node for his neighbors approach the correct
opinion, which is (0, 1) for the bad neighbors, and (1, 1) for the good neighbors.
Second, the designated good node calculates his indirect opinions for all other nodes.
These indirect opinions are the experimental results shown in Section 4.3. Also, the
confidence for some indirect opinions may be too low (within $\epsilon = 0.01$ of zero), so
these nodes are not assigned any opinion.

Figure 4.1: Opinion convergence. Opinions for good nodes are black, opinions for
bad nodes are red.

The most important evaluation metric is whether the nodes are correctly
classified as good and bad. In other words, we want the opinions for all bad nodes to
be close to (0, 1) and the opinions for all good nodes close to (1, 1). Moreover, we
want this to happen as soon as possible, i.e. before all direct opinions converge to
the correct ones, since the users in the real network may be forced to make an early
trust decision. Furthermore, a failsafe is desirable: If trust evidence is insufficient,
we prefer not to make any decision about a node, rather than make a wrong one.

Of course, we have to evaluate the robustness of each of the above mentioned
metrics as the proportion of bad nodes increases. We also measure the effect of
different trust topologies. Namely, three topologies are selected: Grid, Random,
and Small World. The Grid and Random topologies can be seen as two extremes of
a spectrum. On the one hand, the Grid is completely symmetric and deterministic:
We are using a 10x10 square for 100 nodes. Each node, except the perimeter nodes,
has exactly 8 neighbors. On the other hand, the Random topology was constructed
so that the average degree is again 8, but this symmetry is completely probabilistic.
Each edge has the same probability of existing, according to the Erdős-Rényi model
[16]. The Small World topology [45] is between these two extremes, in the sense
that there are a few nodes that have a high degree, and all the rest have much fewer
neighbors. In this case, too, the average degree is 8. The Small World topology for
trust has also been used in [23].

4.3  Results 

In  this  section  we  present  the  results  obtained  from  the  simulations.  For  each  of 
the  three  topologies  (Grid,  Random,  Small  World),  the  percentage  of  bad  nodes  is 
increased  from  10%  to  50%  to  90%.  The  figures  show  the  opinions  of  the  source 
node  (s)  for  every  other  node  after  the  computations  of  rounds  10,  20, ...,  90,  95,  99. 
The  nodes  originally  designated  as  Good  appear  in  black,  whereas  the  Bad  ones 
appear  in  red.  The  aim  is,  first  and  foremost,  for  the  black  nodes  to  be  separated 
from  the  red  ones.  Also,  the  black  nodes  should  be  as  close  as  possible  to  the  upper 
right corner (GOOD corner, corresponding to the (1, 1) opinion), and the red nodes
to the upper left corner (BAD corner, (0, 1) opinion).

Figure 4.2: Grid:bad1:Rounds(10-20)
Figure 4.3: Grid:bad1:Rounds(30-40)
Figure 4.4: Grid:bad1:Rounds(50-60)
Figure 4.5: Grid:bad1:Rounds(70-80)
Figure 4.6: Grid:bad1:Rounds(90-95)
Figure 4.7: Grid:bad1:Round(99)AndClassifiedNodes
Figure 4.8: Grid:bad5:Rounds(10-20)
Figure 4.9: Grid:bad5:Rounds(30-40)
Figure 4.10: Grid:bad5:Rounds(50-60)
Figure 4.11: Grid:bad5:Rounds(70-80)
Figure 4.12: Grid:bad5:Rounds(90-95)
Figure 4.13: Grid:bad5:Round(99)AndClassifiedNodes
Figure 4.14: Grid:bad9:Rounds(10-20)
Figure 4.15: Grid:bad9:Rounds(30-40)
Figure 4.16: Grid:bad9:Rounds(50-60)
Figure 4.17: Grid:bad9:Rounds(70-80)
Figure 4.18: Grid:bad9:Rounds(90-95)
Figure 4.19: Grid:bad9:Round(99)AndClassifiedNodes
Figure 4.20: SmallWorld:bad1:Rounds(10-20)
Figure 4.21: SmallWorld:bad1:Rounds(30-40)
Figure 4.22: SmallWorld:bad1:Rounds(50-60)
Figure 4.23: SmallWorld:bad1:Rounds(70-80)
Figure 4.24: SmallWorld:bad1:Rounds(90-95)
Figure 4.25: SmallWorld:bad1:Round(99)AndClassifiedNodes
Figure 4.26: SmallWorld:bad5:Rounds(10-20)
Figure 4.27: SmallWorld:bad5:Rounds(30-40)
Figure 4.28: SmallWorld:bad5:Rounds(50-60)
Figure 4.29: SmallWorld:bad5:Rounds(70-80)
Figure 4.30: SmallWorld:bad5:Rounds(90-95)
Figure 4.31: SmallWorld:bad5:Round(99)AndClassifiedNodes
Figure 4.32: SmallWorld:bad9:Rounds(10-20)
Figure 4.33: SmallWorld:bad9:Rounds(30-40)
Figure 4.34: SmallWorld:bad9:Rounds(50-60)
Figure 4.35: SmallWorld:bad9:Rounds(70-80)
Figure 4.36: SmallWorld:bad9:Rounds(90-95)
Figure 4.37: SmallWorld:bad9:Round(99)AndClassifiedNodes
Figure 4.38: Random:bad1:Rounds(10-20)
Figure 4.39: Random:bad1:Rounds(30-40)
Figure 4.40: Random:bad1:Rounds(50-60)
Figure 4.41: Random:bad1:Rounds(70-80)
Figure 4.42: Random:bad1:Rounds(90-95)
Figure 4.43: Random:bad1:Round(99)AndClassifiedNodes
Figure 4.44: Random:bad5:Rounds(10-20)
Figure 4.45: Random:bad5:Rounds(30-40)
Figure 4.46: Random:bad5:Rounds(50-60)
Figure 4.47: Random:bad5:Rounds(70-80)
Figure 4.48: Random:bad5:Rounds(90-95)
Figure 4.49: Random:bad5:Round(99)AndClassifiedNodes
Figure 4.50: Random:bad9:Rounds(10-20)
Figure 4.51: Random:bad9:Rounds(30-40)
Figure 4.52: Random:bad9:Rounds(50-60)
Figure 4.53: Random:bad9:Rounds(70-80)
Figure 4.54: Random:bad9:Rounds(90-95)
Figure 4.55: Random:bad9:Round(99)AndClassifiedNodes

4.4  Discussion


We  can  observe  some  general  trends  in  the  diagrams  shown.  First  of  all,  in  the 
early  rounds  Good  and  Bad  nodes  are  intermixed:  there  is  no  clear  separating  line. 
Moreover,  Bad  nodes  seem  to  be  given  better  opinions  than  Good  nodes,  which  is
clearly  undesirable.  The  explanation  for  this  is  based  on  two  aspects  of  the  scheme:
the  trust  threshold  and  the  Bad  nodes’  way  of  assigning  direct  opinions.
Initially,  Bad  nodes  are  allowed  to  vote,  since  the  trust  threshold  (0.3)  is  lower  than
the  initial  default  trust  value  (0.5),  i.e.  they  have  not  been  "discovered"  yet.  So,
their  (0, 1)  opinions  for  Good  nodes  are  taken  into  account  and  the  result  is  that 
Good  nodes  appear  to  be  bad.  Also,  Bad  nodes  give  (1,1)  opinions  to  each  other, 
hence  reinforcing  each  other. 

The  situation  in  later  rounds  improves.  The  Good  nodes  move  towards  the 
upper  right  corner,  the  Bad  ones  towards  the  upper  left.  There  is  also  a  clear 
separating  line  between  the  two  groups  of  nodes.  For  an  actual  implementation  a 
practical  guideline  could  be  derived  from  the  above  observation,  i.e.  to  be  especially 
careful  when  making  important  trust  decisions  in  early  rounds.  The  trust  computation
may  be  based  on  too  little  raw  evidence  (direct  opinions)  to  be  relied  upon.
In  all  cases,  however,  the  Good  and  Bad  nodes  are  separated  eventually  (in  the  last 
rounds).  This  serves  as  a  sanity  check  for  the  algorithm. 

As  the  percentage  of  Bad  nodes  increases,  we  can  see  that  the  separation  is  still 
successful  sooner  or  later,  but  the  main  observation  is  that  the  number  of  classified 
nodes  is  decreasing,  especially  for  the  Grid  topology.  Classified  nodes  are  those  for 
which  the  evidence  was  sufficient,  i.e.  the  confidence  of  the  source’s  opinion  for
them  was  more  than  e  =  0.01.  The  following  graphs  show  the  number  of  nodes 
classified  in  each  topology,  for  different  percentages  of  Bad  nodes,  after  every  round 
of  computation.  The  general  effect  of  Bad  nodes  on  the  number  of  classified  nodes 
is  that,  after  they  are  discovered,  they  block  the  trust  paths  they  are  on  since  they 
are  not  allowed  to  vote.  So,  nodes  that  are  further  away  from  the  source  than  these 
Bad  nodes  can  be  reached  by  fewer  paths.  They  may  even  be  completely  isolated. 
In  any  case,  the  confidence  in  the  source’s  opinion  for  them  is  decreased,  so  some  of 
them  cannot  be  classified. 

The  Random  topology  performs  best,  because  it  is  less  affected  by  Bad  nodes. 
This  topology  has  a  relatively  short  average  path  length  between  the  source  (s)  and 
all  other  nodes,  so  confidence  values  for  opinions  are  not  too  low.  At  the  same  time, 
it  does  not  rely  on  information  provided  by  any  single  node  or  small  set  of  nodes. 
The  links  are  random,  so  every  node  is  reached  through  different  paths. 

The  average  path  length  from  the  source  is  the  main  defect  of  the  Grid  topology,
since  for  certain  nodes  it  may  be  large.  If  this  is  coupled  with  Bad  nodes
blocking  some  of  the  paths,  the  confidence  values  for  nodes  that  are  far  from  the
source  drop  considerably.  The  more  Bad  nodes,  the  more  pronounced  this
effect  is.  So,  the  Grid  topology  performs  worst  of  all.

As  far  as  the  Small  World  topology  is  concerned,  the  path  length  is  short, 
since  there  are  some  highly  connected  nodes.  So,  it  performs  better  than  the  Grid 
topology.  However,  it  is  exactly  these  highly  connected  nodes  that  degrade  the 
performance  of  the  computation  when  they  are  Bad.  The  reason  is,  again,  that  they
block  many  paths  and  affect  opinions  for  most  nodes.  If  the  majority  of  these  highly
connected  nodes  are  Bad,  few  trust  paths  will  be  able  to  be  established. 

The  90%  bad  node  case  is  interesting  to  examine  specifically.  First,  there  is  a 
sudden  drop  in  the  number  of  classified  nodes  between  rounds  30  and  40.  This  is 
so,  because  at  this  point  the  opinions  for  Bad  nodes  acquire  trust  values  that  are 
lower  than  the  trust  threshold,  so  they  become  ineligible  to  vote. 

Second,  and  more  intriguing,  is  that  the  Random  topology  becomes  equivalent 
to  the  Grid  topology,  and  the  Small  World  topology  performs  better  than  both.  The 
explanation  is  that  almost  all  nodes  are  Bad,  so  only  nodes  one  or  (rarely)  two  hops 
away  from  the  source  can  be  classified.  This  is  true  for  all  topologies.  But  the 
Grid  nodes  have  exactly  8  neighbors,  and  all  Random  nodes  have  approximately  8 
neighbors,  too.  So,  the  number  of  classified  nodes  turns  out  to  be  around  20.  On 
the  other  hand,  in  the  Small  World  topology  the  source  node  is  one  of  the  highly 
connected  nodes  (19  neighbors,  when  the  average  degree  is  8).  So,  all  of  the  19 
neighbors,  and  some  of  the  nodes  that  are  two  hops  away  are  classified  for  a  total 
of  about  40  nodes.  A  practical  guideline  for  the  Small  World  topology  would  then 
be  that  highly  connected  nodes  should  be  protected,  better  prepared  to  withstand 
attacks,  or,  in  general,  less  vulnerable. 
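
The path-blocking argument above can be reproduced on small graphs. The following is an added example, not the simulation code used for the figures: it assumes every direct opinion carries confidence 0.5, that a path's confidence is the product of its hops, and that the best path wins; the torus grid and the hub edges are constructed inputs.

```python
import heapq

EPS = 0.01  # classification threshold on confidence (value from the text)

def classified(adj, source, bad, hop_conf=0.5):
    """Nodes whose best-path confidence from `source` exceeds EPS.

    Assumed model: each direct opinion has confidence `hop_conf`, a path's
    confidence is the product over its hops, and the best path wins.
    Discovered Bad nodes can be rated but cannot relay (they may not vote).
    """
    best = {source: 1.0}
    heap = [(-1.0, source)]
    while heap:
        neg, u = heapq.heappop(heap)
        if -neg < best[u] or (u != source and u in bad):
            continue  # stale entry, or a path blocked by a Bad node
        for v in adj[u]:
            c = -neg * hop_conf
            if c > best.get(v, 0.0):
                best[v] = c
                heapq.heappush(heap, (-c, v))
    return {n for n, c in best.items() if n != source and c > EPS}

def torus_grid(n):
    """Constructed n x n wrap-around grid where every node has 8 neighbours."""
    return {(x, y): {((x + dx) % n, (y + dy) % n)
                     for dx in (-1, 0, 1) for dy in (-1, 0, 1) if dx or dy}
            for x in range(n) for y in range(n)}

def with_hub(adj, source, extra):
    """Copy of adj with `extra` added as neighbours of source (hub source)."""
    out = {k: set(v) for k, v in adj.items()}
    for v in extra:
        out[source].add(v)
        out[v].add(source)
    return out

if __name__ == "__main__":
    grid, s = torus_grid(10), (0, 0)
    others = set(grid) - {s}
    print("no Bad nodes:       ", len(classified(grid, s, set())))
    print("all others Bad:     ", len(classified(grid, s, others)))
    print("one Good neighbour: ", len(classified(grid, s, others - {(1, 0)})))
    hub = with_hub(grid, s, [(5, y) for y in range(10)] + [(3, 5)])
    print("hub source, all Bad:", len(classified(hub, s, others)))
```

With every other node Bad, the source classifies only its direct neighbours, so the count equals the source's degree (8 on the grid, 19 for the hub); each Good neighbour adds the few two-hop nodes it alone can vouch for.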
Figure  4.56:  Node  classification,  10%  bad  nodes


Figure  4.57:  Node  classification,  50%  bad  nodes 


Figure  4.58:  Node  classification,  90%  bad  nodes 

Chapter  5

Conclusion  and  Future  Work 

In  this  chapter  we  derive  conclusions  based  on  the  goals  we  set  for  this  work,  as 
mentioned  in  the  Introduction,  and  discuss  to  what  degree  these  goals  were  met  by
our  proposed  scheme. 

5.1  Conclusion 

We  have  presented  a  scheme  for  evaluating  trust  evidence  in  Ad-Hoc  networks.  Our 
scheme  is  entirely  based  on  information  originating  at  the  users  of  the  network.  No 
centralized  infrastructure  is  required,  although  the  presence  of  one  can  certainly  be 
utilized.  Also,  users  need  not  have  personal,  direct  experience  with  every  other  user 
in  the  network  in  order  to  compute  an  opinion  about  them.  They  can  base  their 
opinion  on  second-hand  evidence  provided  by  intermediate  nodes,  thus  benefiting 
from  other  nodes’  experiences.  Of  course,  we  are  taking  into  account  the  fact  that 
second-hand  (or  third,  or  fourth...)  evidence  is  not  as  valuable  as  direct  experience. 
In  this  sense,  our  approach  extends  PGP,  since  PGP  only  uses  directly  assigned 
trust  values. 

At  each  round  of  computation,  the  source  node  computes  opinions  for  all 
nodes.  This  means  that  information  acquired  at  a  single  round  can  be  stored  and 
subsequently  used  for  many  trust  decisions.  If  there  is  not  enough  evidence  to 
determine  an  opinion,  then  no  opinion  is  formed.  So,  when  malicious  nodes  are 
present  in  the  network  they  cannot  fool  the  system  into  accepting  a  malicious  node  as 
benevolent.  A  failsafe  state  exists  that  ensures  graceful  degradation  as  the  number 
of  adversaries  increases.  The  trust  topology  also  has  significant  influence  on  the
performance  of  the  algorithm.  We  have  seen  that  if  any  node  can  be  malicious  with 
the  same  probability,  the  Random  topology  performs  better.  On  the  other  hand,  if 
the  highly  connected  nodes  of  the  Small  World  topology  are  Good,  the  algorithm 
fares  better  at  the  crucial  cases  of  malicious  node  preponderance. 

5.2  Future  Work 

In  future  work,  we  plan  to  implement  more  elaborate  models  for  the  attackers’ 
behavior,  and  for  the  measures  taken  against  nodes  that  are  being  assigned  low 
trust  values  (i.e.,  detected  to  be  bad).  So,  the  attackers  will  be  facing  a  tradeoff 
between  the  amount  of  damage  they  can  inflict,  and  the  possibility  of  being,  for 
instance,  isolated  from  the  rest  of  the  network.  Suitable  strategies  will  be  developed  for
Good  as  well  as  Bad  nodes. 